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FAIL-SAFE rftT3TPn Tf CTRf!HTT 

The present invention relates to a fail-safe 
control circuit for improving the controlling 
accuracy of a controlled device controlled by 
operation control units and, more particularly, the 
present invention is directed to a fail-safe control 
circuit which allows the operation control units to 
monitor a control signal for correctness and if any 
of the operation control units detect an error, the 
fail-safe control circuit fails-safe the controlled 
device by interrupting power thereto. 

A fail-safe control circuit is generally 
provided in control systems to force a controlled 
device into a safe state when a malfunction occurs 
and the proper operation of such a fail-safe control 
circuit is very important when it is concerned with 
the control of a device affecting people's lives. 
For example, in an anti-skid brake control for a car, 
vehicle velocity and wheel rotation are monitored and 
supplied to an operation control unit such as a 
microcomputer/microprocessor. When wheel locking is 
detected, the braking operation is released to 
prevent the wheels from slipping thereby improving 
the braking function making it possible to accurately 
stop the car. 

In an anti-skid brake control circuit, it is 
important to improve reliability, and therefore each 
control circuit is provided with a plurality of 
identical operation control units arranged in 
parallel to process the same input in synchronism 
with each other using the same clock signal. The 
operation control units control the controlled device 
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using an output signal based on majority voting type 
processing performed on the respective outputs of the 
operation control units thereby to improve 
reliability. 

In circuits arranged in the manner described 
above, an erroneous signal may be produced by the 
majority voting circuit when one half or more of the 
plurality of operation control units operate 
incorrectly. As a result, it is impossible to 
determine whether the controlled device is operating 
correctly in accordance with the control output. In 
a case where, for example, a disconnection occurs in 
a solenoid which is the controlled device, the 
desired controlling operation cannot be performed 
which may cause a serious accident. 

An object of the present invention is to 
provide a fail-safe control circuit which allows 
operation control units to check their own outputs 
and it is another object to prevent erroneous 
operation when a majority of the operation control 
units are malfunctioning and to interrupt power to a 
controlled device whenever a malfunction occurs, 
thereby putting controlled device in a fail-safe 
state . 

According to the present invention, a fail-safe 
control circuit connected to operational control 
units producing control signals and to a controlled 
device, is characterised by detection means for 
detecting coincidence between the control signals, 
activating the controlled device when coincidence 
occurs and producing a feedback signal, each 
operation control unit producing- a disagreement 
signal when the respective control signal disagrees 
with the feedback signal, and fail-safe means for 
placing the controlled device in a fail-safe state 
when at least one disagreement signal is produced. 

The control signals produced by the operation 
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control units are thus used to produce a control 
output signal for controlling the controlled device. 
The control output signal is fed back to the control 
units by the fail-safe control circuit, monitored by 
the operation control units and compared with the 
control signals produced by the respective units, if 
any of the control signals do not match the fed back 
signal, the fail-safe control circuit disengages 
power to the controlled device forcing it into a 
fail-safe state. 

In the fail-safe control circuit, coincidence 
between the result of the operations of operation 
control units is necessary to produce the control 
output signal, so that control accuracy is improved. 
Further, since each of the operation control units 
detects disagreement between its control signal and 
the fed back signal, the control mode for the 
controlled device is forced into a fail-safe mode 
when a disagreement is detected by any of the 
operation control units. Thus, it is possible to 
perform fail-safe control while supervising all of 
the control system including the controlled load. 

An example of a circuit constructed in 
accordance with the invention will now be described 
with reference to the accompanying diagram. 

The figure shows an example of a fail-safe 
control circuit according to the present invention. 
Identical operation control units l x - l n receive the 
same control input signal IN and the same clock 
signal CP generated by a clock pulse generating 
circuit 2. Each operation control unit lj - i n 
normally performs identical processing to produce 
identical output control signals A 2 - A n from 
respective ports P 2 . An AND gate circuit 3 detects 
coincidence between signals A 1 - A n and produces a 
control signal B for controlling a controlled device 
4. A transistor 5 is connected between the 
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controlled device 4 and ground, and has a base 
receiving the control output signal B through 
resistor 6. A DC source 7 for energizing the 
controlled device 4 has a negative pole connected to 
ground and a positive pole connected to the 
controlled device 4 through a fail-safe controlling 
relay 8. An inverter 9 inverts a signal between the 
controlled device 4 and the transistor 5 to produce a 
control feedback signal C which is supplied to 
respective input ports 1?2 of the operation control 
units li - l n - £ ach of the control units li - l n 
compares the feedback signal C with their respective 
output control signals A^ - A n and produces a 
disagreement detection signal or power interruption 
control through port P3 whenever coincidence does not 
occur. An OR gate circuit 10 receives the 
disagreement detection signals Dj - D n and produces a 
relay control signal when any one of the operation 
control units produces a disagreement signal. A 
transistor 11 is connected between the positive pole 
of the DC source 7 and ground through a relay coil 
8a , and has a base supplied with the output of the OR 
gate 10 via a resistor 12. A diode for absorbing 
counter-electromotive force is connected in parallel 
with the relay coil 8a. 

In the above-described fail-safe control 
circuit, an input signal IN, such as a vehicle speed 
signal, a wheel rotational speed signal, etc., is 
applied in common to the operation control units 
ll - l n » T **e operation control units li - l n each 
execute the same program or operation to perform 
processing based on the received input signal IN. 
The control units lj - l n operate in synchronism with 
each other based on the commonly received clock 
signal CP produced by the clock pulse generating 
circuit 2. Upon detection of a control indicating 
condition, such as the slip value of a wheel 



0222047 



exceeding a predetermined reference value, the 
control unite 1 2 - l n produce the output signals 
A l ~ A n from their respective ports Pj. Since the 
operation control units l x - l n execute processing 
under the same conditions, the same output signals 
A l " A n wi H be produced from the respective 
operation control units l x - l n when all units are 
operating in a normal fashion. During normal 
operation, the control output signal B produced by 
the AND gate circuit 3 is a high level "H" indicating 
coincidence between output signals A 1 - A n of the 
respective control units l x - l n . The transistor 5 
is turned on when it receives the control output 
signal b at its base. When the transistor 5 is 
turned on, the controlled device 4 is driven by the 
DC source 7 since the relay contact 8 is normally 
closed, thus making the anti-skid function effective. 

When the transistor 5 is turned on and the 
controlled device 4 is operating normally, the input 
signal to the inverter 9 which is at a low level "L" 
is inverted to produce the control feedback signal C 
with a high level "H". The feedback signal C is 
supplied to the respective ports P 2 of the control 
units 1 2 - l n . The control units l x - l n compare the 
respective control output signals ^ - A n with the 
control feedback signal C, and when disagreement is 
detected therebetween, the control units 1 2 - i n 
produce the disagreement detection signals Dj - D n 
which indicate that a malfunction is occurring. 

As previously discussed, the operation control 
units l x - i n are generally microcomputers or 
microprocessors and simple source code can be 
provided in such computerized control units that will 
sample an input on port P2, compare the sample to a 
signal output from port PI, and output a disagreement 
signal through port P3 whenever the signals do not 
match. If the control units l x - i n are hard-wired 
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logic circuits, a comparator can be provided for 
comparing the two signals and producing a 
disagreement output signal as necessary. 

If only one of the disagreement detection 
signals - D n is produced, the output signal 

produced by the OR gate circuit 10 is driven to a 
high level "H". As a result, transistor 11 energizes 
relay coil 8a, so that the relay contact 8 is opened 
to cut off power supplied to the controlled device 4 
to stop the operation thereof and to bring the 
controlled device 4 into a fail-safe state. 

If a disagreement occurs among the output 
signals Ai - A n , the control output signal B is not 
produced by the AND gate 3, so that the operation of 
the controlled device 4 is stopped thereby remaining 
in the fail-safe state. That is, in the fail-safe 
control circuit, the control output signal B is 
produced only when the results of operation of all 
the control units li - l n are coincident with each 
other, providing a highly reliable device. The 
control units lj - l n compare the output signals 
Ax - A n with the control feedback signal C to 
determine whether the desired control is being 
obtained, that is, to positively detect a malfunction 
in the controlled load system including the AND gate 
3, the resistor 6, the transistor 5, the controlled 
device 4, the relay contact 8, the DC source 7, and 
the lines connecting these parts together. 
Consequently, control is exercised only when it is 
possible to perform complete control and the state is 
automatically changed into a fail-safe state when an 
abnormal condition occurs in the controlled load 
system while performing a control operation, 
resulting in a higher degree of safety and 
reliability. 

As described above, in the fail-safe control 
circuit according to the present invention, a control 
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output is sent only when coincidence is detected 
among all the respective output signals of a 
plurality control units that are arranged to process 
the same input signal in synchronism with each other 

5 based on the same clock signal. Each of the 
operation control units detects disagreement between 
its output signal and a control feedback signal so 
that when a disagreement detection signal is produced 
from any one of the operation control units, a 

10 fail-safe change-over relay is driven to change-over 
the control mode into a fail-safe state. 
Accordingly, the fail-safe control system improves 
the accuracy of the operation control units as well 
as the control system including the controlled load. 
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1. A fail-safe control circuit connected to 
operational control units (Ij - l n ) producing control 
signals (Ai - A n ) and to a controlled device (4) f the 
fail-safe control circuit being characterised by 
detection means (3,9) for detecting coincidence 
between the control signals (Aj - A n ) , activating the 
controlled device (4) when coincidence occurs and 
producing - a feedback signal (C) , each operation 
control unit (lj - l n ) producing a disagreement 
signal (Dj - D n ) when the respective control signal 
(Aj - A n ) disagrees with the feedback signal (C) , and 
fail-safe means (10,ll f 8) for placing the controlled 
device (4) in a fail-safe state when at least one 
disagreement signal (Dj - D n ) is produced. 

2. A circuit as in claim l r wherein the detection 
means (3) comprises an AND gate (3) connected to the 
operation control units (lj - l n ) and the controlled 
device (4) ; and an inverter (9) connected to the AND 
gate (3) and the operation control units (1^ - l n ) f 
and producing the feedback signal (C) . 

3. A circuit as in claim 2, wherein the detection 
means (3) further comprises a transistor (5) 
connected to the AND gate, the inverter (9) and the 
controlled device (4). 

4. A circuit as in any of claims 1 to 3, wherein 
the controlled device (4) is supplied with power by a 
power supply (7) and the fail-safe means comprises an 
OR gate (10) connected to the operation control units 
Ul ~ in)' and a relay (8) connected to the OR gate 
(10) r the power supply (7) and the controlled device 
(4) r and operated by the OR gate (10) to disconnect 
power from the controlled device (4) . 
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5. A circuit as in claim 4, wherein the fail-safe 
means further comprises a transistor (11) connected 
between the OR gate (10) and the relay (8) • 
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